The Cyber Security and Resilience Bill (CSRB) continues to make its way through parliament. But the end of a lengthy legislative process is slowly coming into view. When it finally becomes law, the bill will deliver a long-overdue refresh of the NIS Regulations 2018. But what of UK organisations already complying with the EU’s overhaul of the same rules, known as NIS2?

While there are some attempts to align the two, there are also plenty of points at which they diverge. From the number of sectors considered in scope to the size of potential fines, compliance teams must start now to understand the impact of these changes, and plan for what could be a great deal of extra work.

How the CSRB Differs from NIS2

To understand just how far the CSRB diverges from NIS2, take a look at the summary of the bill on the government website. It doesn’t mention its European counterpart at all. Nor does the word “alignment” appear. In practical terms, there are several areas for compliance teams to look at:

Regulated entities: scope

The UK focuses on Operators of Essential Services (OES), Relevant Digital Service Providers (RDSPs) – which are cloud, search and marketplace providers – and a new category of Relevant Managed Service Providers (RMSPs). Its approach is to designate specific OESs, whereas NIS2 automatically drags in all medium and large entities in 18 sectors. The result is that some organisations in scope under the CSRB will escape NIS2 regulation, and vice versa.

Regulated entities: new categories

The CSRB introduces just one new OES category of “data centre services”, whereas NIS2 includes several: public administration, space, wastewater, food, manufacturing, postal services, waste management, and digital providers. That makes it more likely that UK organisations not regulated by CSRB will fall under NIS2.

MSPs:

RMSPs are introduced as a new category in the CSRB, whereas NIS2 regards them as Essential Entities or Important Entities. The compliance requirements may therefore differ between the two regimes.

Supply chain oversight:

In the UK, “critical suppliers” to OESs, RDSPs and RMSPs can be designated by competent authorities and the Information Commissioner’s Office (ICO) and are subject to direct oversight. In NIS2 there is no direct regulatory oversight, but all in-scope entities must assess supply chain risks.

Incident definitions and reporting:

The CSRB’s definition of a regulated incident has been expanded to include events “capable of having a significant impact on the provision of an essential or digital service” as well as “incidents that significantly affect the confidentiality, availability, and integrity of a system”. Significance will be assessed industry by industry. In NIS2, incidents are those which cause operational disruption, financial loss, or material/non-material damage to others. This means the threshold for reporting may differ between the UK and the EU.

However, reporting timelines – initial reporting within 24 hours of becoming aware of an incident, then full notification within 72 hours – are broadly the same in the UK and the EU.

Customer notification:

This is required for data centre service providers, RDSPs, and RMSPs in the UK. But there may be additional requirements under NIS2, depending on the member state interpretation of the directive.

Personal liability:

This isn’t covered in the CSRB, but NIS2 introduces significant personal accountability for senior management. This includes mandatory training for managers and personal liability for non-compliance. UK organisations complying with NIS2 will need to understand the more detailed governance requirements in the EU regime.

Penalties:

In the CSRB, standard penalties are the greater of £10m or 2% of worldwide annual turnover, but rise to £17m/4% for maximum penalties. NIS2 gives latitude to member states to decide on these, as long as they are “effective, proportionate and dissuasive”.

Registration:

Under the CSRB, RMSPs and data centre providers designated as OESs must register. In NIS2 Essential and Important Entities must register with competent authorities, but member states decide how this works. The bottom line is that UK organisations will need to assess their obligations for both separately.

General approach:

The CSRB introduces significant new information-gathering powers for competent authorities and the ICO, no matter what type of regulated organisation. NIS2 enables Important Entities to benefit from a lighter touch approach.

However, overall, the CSRB is designed to be more flexible than its European equivalent, says James Wong, a senior associate in the Tech & Digital team at global law firm Clifford Chance.

“The government will be able to issue strategic priorities and targeted directions, and regulators will be able to designate entities as ‘critical suppliers’ bringing them directly in scope of the regime,” he tells IO (formerly ISMS.online). “The bill also provides a mechanism for codes of practice, allowing for nuance tailored to context.”

The Compliance Burden Grows

Wong argues that the complexity of “local implementing laws”, secondary legislation and the potential need to engage with multiple regulators are making compliance more challenging for organisations in-scope for both NIS2 and the CSRB.

Rhiannon Webster, UK head of cybersecurity at global law firm Ashurst, adds that Brexit is starting to have a real impact on the compliance burden of UK firms operating in Europe, with this bill and the Data Use and Access Act.

“It’s taken a while to come, with privacy and cyber laws in the UK to date being a copy and paste of their EU predecessors. However, we have some small but meaningful changes developing,” she tells IO.

“Although companies can look to comply with both regimes in a uniform way by applying the highest standard across UK and Europe, this is unlikely to be a commercial approach to compliance and companies will need to consider the differences in the regimes when adopting compliance programmes and assessing risks.”

Getting Started

Webster urges organisations to first understand whether they’re in scope for NIS2 and its UK equivalent.

“You may be surprised to hear that in the event of security incidents and meeting timescales for reporting, we often have clients who have been unsure whether they were caught by NIS2 and are trying to figure it out in the situation of a breach, which is far from ideal,” she explains.

“Compliance with standards such as ISO 27001 could be used to ensure that your information security requirements are proportionate.”

Clifford Chance’s Wong explains that a “unified cyber-readiness programme mapped to all relevant legal and regulatory requirements” should be the main goal for compliance teams.

“Using established frameworks such as ISO 27001 can streamline compliance and make it easier to demonstrate core practices across multiple jurisdictions. Such frameworks provide a structure to build from, but are only a base and must be adapted to local obligations,” he adds. “Regular reviews ensure the programme remains fit for purpose as requirements change over time.”

For complex business operations that span multiple jurisdictions, best practices become even more important, Wong says. He points to “proactive leadership”, prioritising risks and controls, regular tabletop exercises, strong supply-chain relationships and putting the right tooling in place.

Whichever way you look at it, the price of operating across the UK and EU is set to increase.
